Once you have a good dictionary or dictionary generator, the password will be calculated sooner or later. Signing your SOAP message only ensures that it is not altered on its way from the origin to the destination; the password can still be recovered in the same way.

All in all, if you want a really secure password, you need to sign and encrypt the sensitive data with a secret (an X.509 certificate, i.e. public/private key encryption). Still, I heard in the news that a girl from a Chinese university had found a very quick way to hack public/private (asymmetric) key encryption. (Symmetric-key, or single-private-key, encryption is weaker than asymmetric.)

The reason public/private key encryption is secure is that the private key is extremely hard to calculate: it is nearly impossible to derive from the public key, which everyone may know. The trade-off of asymmetric key encryption is that the algorithm is thousands of times slower than single-private-key encryption. A single private key can make your message reasonably secure, but it is hard to maintain: every party needs the same private key, and its lifetime should not be too long, which means all parties have to synchronise the key. That becomes a management issue.
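The three points above (a signature does not hide the password, encrypting with the recipient's public key does, and the slow asymmetric operation is only needed for a small secret) can be shown in one runnable program. The Go code below is an added example and not code from the original post: it uses the standard library only, a constructed stand-in for a SOAP body, and hybrid encryption in which a fresh AES-256-GCM key protects the body and the recipient's RSA public key wraps only that 32-byte key. The Message struct, the Exposes helper and the sample payload are assumptions made for the example, not a WS-Security serialisation.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Message stands in for a SOAP envelope carrying a password. It is a
// constructed structure for this example, not a WS-Security serialisation.
type Message struct {
	Body       []byte // plaintext when only signed, ciphertext when encrypted
	Signature  []byte // RSA-PSS signature over Body (integrity and sender authenticity)
	WrappedKey []byte // RSA-OAEP-wrapped AES key; empty when Body is not encrypted
	Nonce      []byte // AES-GCM nonce; empty when Body is not encrypted
}

// Sign protects integrity only: the receiver can detect tampering, but Body
// stays readable by anyone who sees the message between origin and destination.
func Sign(sender *rsa.PrivateKey, body []byte) (Message, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Message{}, err
	}
	return Message{Body: body, Signature: sig}, nil
}

// Verify returns true only if Body has not been altered since it was signed.
func Verify(sender *rsa.PublicKey, m Message) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], m.Signature, nil) == nil
}

// Encrypt is hybrid encryption: a fresh AES-256-GCM key encrypts the body
// (fast, symmetric) and the recipient's RSA public key wraps only that key
// (slow, asymmetric), so no long-lived symmetric key has to be shared or
// synchronised between the parties.
func Encrypt(recipient *rsa.PublicKey, body []byte) (Message, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Message{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Message{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Message{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Message{}, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return Message{}, err
	}
	return Message{Body: ciphertext, WrappedKey: wrapped, Nonce: nonce}, nil
}

// Decrypt unwraps the AES key with the recipient's private key and opens the body.
// Only the holder of that private key can do this; the public key is not enough.
func Decrypt(recipient *rsa.PrivateKey, m Message) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Body, nil)
}

// Exposes reports whether a secret appears verbatim in the message body,
// i.e. what an observer on the path between origin and destination sees.
func Exposes(m Message, secret []byte) bool {
	return bytes.Contains(m.Body, secret)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample payload standing in for a SOAP body with a password.
	body := []byte(`<Body><UsernameToken><Username>alice</Username><Password>hunter2</Password></UsernameToken></Body>`)

	signed, _ := Sign(sender, body)
	fmt.Println("signed message verifies:", Verify(&sender.PublicKey, signed))
	fmt.Println("signed message exposes password:", Exposes(signed, []byte("hunter2")))

	enc, _ := Encrypt(&recipient.PublicKey, body)
	fmt.Println("encrypted message exposes password:", Exposes(enc, []byte("hunter2")))
	plain, _ := Decrypt(recipient, enc)
	fmt.Println("recipient recovers body:", bytes.Equal(plain, body))
}
```

Running it prints true, true, false, true: the signed message is tamper-evident but leaks the password to anyone in the path, while the encrypted message hides it and only the recipient's private key recovers the body. In a real deployment you would sign and encrypt, with the signing key owned by the sender and the encryption key owned by the receiver, as the certificate-based approach above implies.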

The final question is:
Is your message too important to let others see it, and does your client side have the resources or a plan to implement and maintain this? If the answer is yes, definitely do it.